Referer spoofing

In

HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page

Overview

Referer spoofing is typically done for

data privacy reasons, in testing, or in order to request information (without genuine authority) which some web servers

may only supply in response to requests with specific HTTP referers.

To improve their privacy, individual browser users may replace accurate referer data with inaccurate data, though many simply suppress their browser's sending of any referer data. Sending no referrer information is not technically spoofing, though sometimes also described as such.

In software, systems and networks testing, and sometimes

HTTPD system being tested and observing the results.^[2]

While many websites are configured to gather referer information and serve different content depending on the referer information obtained, exclusively relying on HTTP referer information for authentication and authorization purposes is not a genuine computer security measure. HTTP referer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such.

Application

Some websites, especially many image hosting sites, use referer information to secure their materials: only browsers arriving from their web pages are served images. Additionally a site may want users to click through pages with advertisements before directly being able to access a downloadable file – using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like to use.

If attackers acquire knowledge of these approved referrers, which is often trivial because many sites follow a common template,^[3] they can use that information combined with this to exploit and gain access to the materials.

Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referer headers. Website owners may do this to disallow

hotlinking

.

It can also be used to defeat referer checking controls that are used to mitigate

Cross-Site Request Forgery

attacks.

Tools

Several software tools exist to facilitate referer spoofing in web browsers. Some are extensions to popular browsers such as

Mozilla Firefox or Internet Explorer

, which may provide facilities to customise and manage referrer URLs for each website the user visits.

Other tools include

log

the user's activity.

Notes

ISBN 9781565925090
.

^ "The HTTPS-Only Standard - Introduction to HTTPS". https.cio.gov. Retrieved 2021-05-01.

^ Sieklik, Boris (March 2016). "Evaluation of TFTP DDoS amplification attack". The Cyber Academy, Edinburgh Napier University.

v
t
e
Scams and confidence tricks
Terminology

Scam

Error account

Shill

Shyster

Sucker list

Notable scams and
confidence tricks

1992 Indian stock market scam

2G spectrum case

Advance-fee scam

Art student scam

Badger game

Bait-and-switch

Black money scam

Blessing scam

Bogus escrow

Boiler room

Bride scam

Charity fraud

Clip joint

Coin-matching game

Coin rolling scams

Drop swindle

Embarrassing cheque

Exit scam

Extraterrestrial real estate

Fiddle game

Fine print

Foreclosure rescue scheme

Foreign exchange fraud

Fortune telling fraud

Gem scam

Get-rich-quick scheme

Green goods scam

Hustling

Indian coal allocation scam

IRS impersonation scam

Intellectual property scams

Kansas City Shuffle

Locksmith scam

Long firm

Miracle cars scam

Mismarking

Mock auction

Moving scam

Overpayment scam

Patent safe

Pig in a poke

Pigeon drop

Pork barrel

Pump and dump

Redemption/A4V schemes

Reloading scam

Return fraud

Salting

Shell game

Sick baby hoax

SIM swap scam

Slavery reparations scam

Spanish Prisoner

SSA impersonation scam

SSC Scam

Strip search phone call scam

Swampland in Florida

Technical support scam

Telemarketing fraud

Thai tailor scam

Thai zig zag scam

Three-card monte

Trojan horse

White van speaker scam

Work-at-home scheme

Internet scams and
countermeasures

Avalanche

Carding

Catfishing

Click fraud

Clickjacking

Cramming

Cryptocurrency scams

Cybercrime

CyberThrill

DarkMarket

Domain name scams

Email authentication

Email fraud

Internet vigilantism

Lenny anti-scam bot

Lottery scam

PayPai

Phishing

Referer spoofing

Ripoff Report

Rock Phish

Romance scam

Russian Business Network

SaferNet

Scam baiting
419eater.com

Jim Browning

Kitboga

Scammer Payback

ShadowCrew

Spoofed URL

Spoofing attack

Stock Generation

Voice phishing

Website reputation ratings

Pyramid and
Ponzi schemes

Aman Futures Group

Bernard Cornfeld

Caritas

Dona Branca

Earl Jones

Ezubao

Foundation for New Era Philanthropy

Franchise fraud

High-yield investment program (HYIP)

Investors Overseas Service

Kapa investment scam

Kubus scheme

Madoff investment scandal

Make Money Fast

Matrix scheme

MMM

Petters Group Worldwide

Pyramid schemes in Albania

Reed Slatkin

Saradha Group financial scandal

Secret Sister

Scott W. Rothstein

Stanford Financial Group

Welsh Thrasher faith scam

Lists

Con artists

Confidence tricks

Criminal enterprises, gangs and syndicates

Impostors

In the media
Film and television

Literature

Ponzi schemes

Retrieved from "https://en.wikipedia.org/w/index.php?title=Referer_spoofing&oldid=1200278015"

[HTTP:_The_Definitive_Guide-1] ISBN 9781565925090
.

[2] "The HTTPS-Only Standard - Introduction to HTTPS". https.cio.gov. Retrieved 2021-05-01.

[3] Sieklik, Boris (March 2016). "Evaluation of TFTP DDoS amplification attack". The Cyber Academy, Edinburgh Napier University.

[2]

[3]

Overview

Application

Tools

See also

Notes